fix: add code to other response methods

server/handlers/authorize.go

@@ -80,10 +80,32 @@ func AuthorizeHandler() gin.HandlerFunc {
 		// used for response mode query or fragment
 		loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
 		loginURL := "/app?" + loginState
+
 		if responseMode == constants.ResponseModeFragment {
 			loginURL = "/app#" + loginState
 		}
 
+		if state == "" {
+			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+				"type": "authorization_response",
+				"response": map[string]interface{}{
+					"error":             "state_required",
+					"error_description": "state is required",
+				},
+			}, http.StatusOK)
+			return
+		}
+
+		if responseType == constants.ResponseTypeCode && codeChallenge == "" {
+			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+				"type": "authorization_response",
+				"response": map[string]interface{}{
+					"error":             "code_challenge_required",
+					"error_description": "code challenge is required",
+				},
+			}, http.StatusOK)
+		}
+
 		loginError := map[string]interface{}{
 			"type": "authorization_response",
 			"response": map[string]interface{}{
@@ -91,7 +113,6 @@ func AuthorizeHandler() gin.HandlerFunc {
 				"error_description": "Login is required",
 			},
 		}
-
 		sessionToken, err := cookie.GetSession(gc)
 		if err != nil {
 			log.Debug("GetSession failed: ", err)
@@ -126,9 +147,6 @@ func AuthorizeHandler() gin.HandlerFunc {
 			sessionKey = claims.LoginMethod + ":" + user.ID
 		}
 
-		// rollover the session for security
-		go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
-		if responseType == constants.ResponseTypeCode {
 		nonce := uuid.New().String()
 		newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
 		if err != nil {
@@ -137,6 +155,16 @@ func AuthorizeHandler() gin.HandlerFunc {
 			return
 		}
 
+		code := uuid.New().String()
+		if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
+			log.Debug("SetState failed: ", err)
+			handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+			return
+		}
+
+		// rollover the session for security
+		go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
+		if responseType == constants.ResponseTypeCode {
 			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken); err != nil {
 				log.Debug("SetUserSession failed: ", err)
 				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
@@ -144,12 +172,6 @@ func AuthorizeHandler() gin.HandlerFunc {
 			}
 
 			cookie.SetSession(gc, newSessionToken)
-			code := uuid.New().String()
-			if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
-				log.Debug("SetState failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
-				return
-			}
 
 			// in case, response type is code and user is already logged in send the code and state
 			// and cookie session will already be rolled over and set
@@ -228,6 +250,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 				"scope":        scope,
 				"token_type":   "Bearer",
 				"expires_in":   expiresIn,
+				"code":         code,
 			}
 
 			if authToken.RefreshToken != nil {
@@ -274,10 +297,6 @@ func validateAuthorizeRequest(responseType, responseMode, clientID, state, codeC
 		return fmt.Errorf("invalid client_id %s", clientID)
 	}
 
-	if strings.TrimSpace(state) == "" {
-		return fmt.Errorf("state is required")
-	}
-
 	return nil
 }